Save Facebook … from “Dark Facebook Groups”

It may seem strange that Naavi is calling to “Save Facebook” when most think it is in great shape and thriving, challenging Google, which itself has dwarfed even Microsoft. But for those of us who have seen Napster and Orkut fade into oblivion and Bitcoin become too shady to touch, the possibility that Facebook may also join the group of “once giant and now orphaned” activities is becoming visible, and that is what motivates me to start this initiative on a trial basis.

Since Facebook has gained greater proximity to our society, and today even the not-so-IT-savvy people around us are becoming Facebook addicts, there would be undesirable consequences if Facebook fails, and more so if it falls into the hands of criminals as a platform for their communication rather than that of law-abiding Netizens. Whenever some regulation affects freedom of expression in social media, all of us jump to defend the media and its sovereignty (though Naavi never supports the concept of “Freedom to Abuse” as being part of “Freedom of Speech”, as many others may).

While speaking on a TV channel a few days back, I had suggested that, in order to bring some orderliness to the use of Facebook for the benefit of society, people should organize themselves into “Special Interest Groups” and try to follow an ethical and useful way of using Facebook as a medium of communication. (This also applies to other social media vehicles, including WhatsApp.)

Now I am looking at the other side of what my suggestion pointed at, which unfortunately is not so palatable and is actually a threat looming over our heads. This threat arises from the misuse of “Facebook Groups” by criminals and terrorists, and it needs to be checked by all of us who consider that the Internet is good, that social media is also good, and that both need to thrive.

Facebook provides three different privacy settings for “Groups”, namely “Public”, “Closed” and “Secret”. Most of us who use Facebook as a medium of communication to the world at large prefer the “Public” setting, which allows the postings to be picked up by search engines and read by all. Anybody can find such a group, see its posts and members, and join and post in it (subject to whatever joining approval the admin has set).

Those who have certain reservations about who can post in a given group, and some who want to use it for communication only among friends, use the “Closed” setting. Here the group’s existence and its member list are visible to all, but the information posted in it is accessible only to “members”, and one becomes a member only if invited or approved by an existing member or admin.

The groups designated “Secret” are not visible to non-members or to search engines and remain truly private platforms among users. In a way this affords the highest privacy and is good for some groups. It should be remembered, though, that “secret” here means hidden from other Facebook users, not from Facebook itself: the content is not end-to-end encrypted and remains with the platform, which can produce it on a lawful request.

However, of late, it has been observed that these “Secret Groups” are being created by anti-social elements, including terrorists, to communicate among themselves. They try to entice children in particular, and other vulnerable sections of social media users, to become members and thereafter exploit them. When our children are members of such groups, we never know whether they are in the midst of bad company.

Such groups may be used for the distribution of drugs, by pedophiles, and by other cyber criminals of any description.

If “Responsible Netizens” do not take preventive steps today, soon we may find more and more such “Dark Facebook Groups” emerging to lure innocent persons as targets of crime (such as child abuse) or as tools of crime (such as mules in a phishing fraud).

At the same time, such groups may be used to spread terrorist messages, radicalize members of society and later recruit them for terrorist acts, including the dreaded “Lone Wolf Attacks”, which are extremely difficult for law enforcement to detect and prevent.

Once this trend becomes more rampant, we can expect law enforcement to turn more aggressive and squeeze for more and more access to private conversations, with users resorting to encryption of different types to avoid them. Then law enforcement will further tighten the “Right to Decrypt” and make life difficult for honest citizens.

Since “Security” always takes priority over “Privacy”, in the end we all have to support measures which some may find “draconian” but others find inevitable. Then there will also be Snowden leaks, Neera Radia tapes or Essar tapes, and everybody starts blaming the system.

Ultimately a day may come when honest people will leave Facebook and the entire Facebook may become part of an underground movement against the society. This is precisely the danger which Bitcoin finds itself in at present.

Since I do not want this to happen, I call for this campaign to “Save Facebook” through an effort of the “Responsible Netizens”, who shall also be the “Watchdogs of the Social Media”.

For this purpose I have created a separate Facebook group and invite members to participate in its activities and contribute towards the “Responsible use of Facebook”. Naavi.org itself was born under the concept “Let’s Build a Responsible Cyber Society”, and since 1998 Naavi has been trying to do whatever is required to meet this objective; but to tackle the growing menace of the Dark Facebook Group, it is considered better to have a Facebook group itself.

What this group essentially has to do is this: if members come across any activity on Facebook that indicates an “anti-social” tendency, a red flag will be raised in this Special Interest Group (SIG). This is for the information of the members and, when required, for sharing with law enforcement.

Members will take care not to do anything in the process that may be considered defamatory, and when in doubt will get their postings moderated.

The group is named “Let’s Build a Responsible Facebook”. (The name can be changed if a better one is available.)

I will send invitations to my Facebook friends separately. If you like the idea, you can join and contribute. My Facebook profile is available at www.facebook.com/naavi

I once again call upon all Responsible Netizens who want to prevent misuse of Facebook to join the group and use it to put in their message.

Naavi

Posted in Cyber Law

Raghuram Rajan exits.. Media starts its games once again.

The media, including the otherwise respected Economic Times and CNBC TV, all predicted doomsday for the Indian economy if Rajan were not given a second term. It was funny to observe that even Mr Narayana Murthy of Infosys suggested that Rajan deserved not one renewal but two at one go.

Now that Mr Rajan has decided to call it quits, all these people should accept that their attempt to manipulate the process of appointing an RBI Governor, which is the prerogative of the current Government, has not been successful, and keep quiet.

All said and done, Mr Rajan was a personal choice of the previous Finance Minister, Mr Chidambaram, who is tainted with issues such as the Ishrat Jehan files involving national security, and that should be sufficient to cause distrust of Mr Rajan among neutral observers.

Mr Rajan did not do enough during his tenure to present himself as a person who is not pro-Congress. The support he received from Congress in the last month, and is receiving till today, is sufficient to vindicate the belief that Congress had a vested interest in his continuation, and that it was therefore a political decision whether to continue him or not.

The media, which thinks it can influence every Government decision, has now started its game once again by projecting Ms Arundhati Bhattacharya, the current SBI Chairperson, for the post of RBI Governor. The media would love to have the “First Female Governor of RBI”, as if being female were a special qualification. This criterion is insulting even to Ms Arundhati and should never be advanced.

I, however, consider the media’s attempt to project Ms Arundhati to be flawed for a different reason.

We must understand that she is now the head of the biggest Commercial Bank in India and if there is any problem with the Banking industry including NPAs and Frauds, the biggest share of the same is with SBI.

The role of RBI Governor is one of the “Regulator” of Banks and therefore it is completely illogical that the current Chair person of one of the commercial Banks is made the regulator.

It is highly objectionable in principle and should be avoided at all costs.

Even if she is otherwise eligible for the responsibility, it can be considered only after a cooling-off period of up to three years after she demits her current office. Otherwise there would be a serious conflict of interest in her role.

Further, in Personnel Management, we all know the problem of “Role Fixation” that arises in a person when he is elevated to a higher position in the hierarchy. An SBI Chairperson will remain an SBI Chairperson mentally,  for some time even if she is made the RBI Governor and immediate switch over is not advisable from managerial principles.

Further, it should be understood that the RBI Governor’s position is that of a “Regulator”. One of the problems with Raghuram Rajan was that he had a “Role Fix” as an “Economist” and was weak in discharging his other functions as a “Regulator”. It is for this reason that on issues of security, fraud management etc, his contribution appeared wanting.

Any person who has watched the e-banking and credit card scenario in India will recognize that SBI was one of the problem banks. It operated its credit card business through outsourced partners, and fraud attempts and phishing were most rampant against SBI Cards. There have been many e-banking frauds indicating a weak information security position in SBI, though its past image has endured in giving the picture of a sound bank.

The recent incident in which SBI was caught transferring Rs 720 crores in cash (as claimed by them in certain press reports) in Tamil Nadu during the elections casts a doubt on the integrity of SBI, just as the old Nagarwala case had shown how SBI acted as a private banker to Indira Gandhi. Ms Arundhati owes the country an explanation of this incident, which she is yet to come up with.

I wish Mr Subramanya Swamy raises this question in the Parliament.

There is no doubt that ex-bankers like us hold SBI in great respect for its systems and procedures as well as its manpower training. However, in the generation of e-banking, the same efficiency does not seem to have carried through. Now that SBI will be saddled with the “Subsidiary Merger Issues”, there will be chaos in the bank over the next three years, and it would be best if Ms Arundhati were left to handle the challenges of the merger rather than be moved out.

If Ms Arundhati is made the RBI Governor, I see the possibility that many of the frauds in SBI will be suppressed and there will be a greater mess to deal with on a later date. Even issues such as the Vijay Mallya issue will become complicated if the SBI Chair person becomes the referee.

I therefore request the media to stop speculating and supporting any one person for the job of RBI Governor. Let this be handled professionally. The more the media tries to support a person, the more it will be seen as a PR exercise, and there will be many who oppose it. This is not good even for the candidate concerned.

If Ms Arundhati is intelligent, she should immediately issue a statement that she would not like to be considered for the post at this point of time. This will prevent further embarrassment to her.

My personal view is that the RBI Governor’s position is best filled by one of the current Deputy Governors, the best of whom can be elevated. We do not need a Nobel Laureate or an economist but a hard-nosed regulator to manage RBI. Then the Governor will focus on bank regulation rather than poking his nose into the Finance Minister’s work.

Certainly it is wrong to think of the current Chairpersons of SBI, ICICI Bank or Axis Bank for the post, even if they have been efficient in their past assignments and each of them would create history as the first female RBI Governor of India, if that is a desirable thing. If such a decision is taken, remember the “Peter Principle” and pray for the welfare of the Indian banking customer.

Naavi

Also Read Old articles on NBFC policy issues (These are 1998 articles and to be seen in that context)

 

Posted in Bank, RBI

Hacking may be your passion… Are you making it a gate pass to Jail?

Naavi.org has time and again warned security specialists about bragging about their hacking exploits on the web.

On August 25, 2010, Naavi.org brought to the notice of the public how a senior software professional from Hyderabad, working in a leading software company, had bragged on his blog about a tool to hack the IRCTC booking system. After realizing his mistake, the professional withdrew the web post which had made the tool freely available to the public.

Again, in the article “Developer or Virus Writer”, written on May 18, 2013 with reference to a news report, it was highlighted that a legitimate Apple Developer ID holder had released malware that could bypass Apple’s Gatekeeper.

The point we were making in these incidents was that security professionals who do not know the legal consequences of their activities, and more particularly of publishing them, land themselves in trouble.

Today I came across another LinkedIn posting which states as under:

“Hacking Windows 10 was one of my topmost priorities since the beginning of this year. Finally I did it. “

The post has been made by a cyber security professional and explains how Windows 10 can be hacked and a payload introduced without authorization.

He posts

“Good evening friends. Hacking Windows 10 was one of my topmost priorities since the beginning of this year. Finally I did it. Hercules  is a special payload generator that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how to hack Windows 10 with this tool.”

One can feel the excitement of this hacker, who volunteers that he had been planning this hack for a long time and has finally succeeded. He goes on to remind people that the payload generator used has “features” such as a “keylogger” which make it “too cool”. Then he explains step by step how the payload can be dropped onto the computer of an unsuspecting user running Windows 10, as well as Windows 7 and Windows 8.

Many other security professionals may hail this as “Great”.

But let me remind this security professional that if Microsoft lodges a formal complaint, or if the Police or an Adjudicator takes suo motu cognizance that this article provides guidance to the public and to criminally minded script kiddies on placing a “Computer Contaminant” and “Keyloggers” on a user’s computer, it may amount to an offence under ITA 2008 which is cognizable.

The security professional then has to try to hide behind the fact that before the software is finally installed there would perhaps be a screen asking for the user’s permission and only if the user says “Yes” it will proceed.

Legal professionals will however clarify that even if the user clicks “Yes”, his “Permission” has been obtained by “Deceit” and will be considered invalid.

I consider this action and its publication as something similar to a murderer going to town with an advertisement that

“I wanted to check if I can murder a person with a new poison that I have detected. I am glad to announce today that I have succeeded. You can also use the poison and here is how to make it”

God bless the security professionals who think this is the way to expose their security skills.

I have posted a note on the person’s LinkedIn profile and look forward to receiving his reactions.

(P.S: I will post a link to this article in some groups which contain not only Police officials like Dr Triveni but also several vocal cyber security professionals. It would be interesting to watch their reactions.)

Naavi

Posted in Cyber Law

Will Cooperative Banks be a Security hole in the Indian Banking industry?

The recent developments in RBI, with the issue of the “Cyber Security Guidelines” on June 2, 2016 and the formation of an IT subsidiary which, apart from overseeing RBI’s internal IT operations, will also guide the regulated banks, have created a renewed thrust on information security across banking organizations in India.

When we discuss such issues, we often focus on the top public sector and private sector banks and forget that the Indian banking system has hundreds of cooperative banks of various categories, licensed to accept deposits from the public and important for the financial welfare of citizens. Some of these cooperative banks are big enough to be considered significant players, particularly within a restricted area of operation. Some of them have adopted Internet banking, ATMs and credit cards. They need to adopt security practices on par with the larger banks, since the risks they face are similar. However, these banks have less access to the skilled manpower required to advise them on information security, and fewer resources to deploy for security beyond the investments already committed to IT infrastructure and operational training.

As a long-term observer of the banking industry, I can foresee this sector becoming a “Security Hole” in the Indian banking industry unless the managements wake up and initiate quick action to set things right. RBI and state regulators also need to take the action required to ensure that these banks have the information security implementation recommended in the various RBI circulars.

As of a recent date, 172 banks in India operate NEFT, and this list includes many cooperative banks and Grameena banks. 154 banks have been permitted to offer mobile banking, which again includes many banks outside the well-known public sector and private sector banks. 44 banks are permitted to issue prepaid cards. Soon many of them will also issue credit cards, co-branded or otherwise. In addition, RBI licenses payments banks and wants to issue banking licenses on tap.

All these liberalized approaches to banking regulation, together with the adoption of new technology, have diluted the security of banking from the customer’s perspective.

While RBI has refused to force a cyber insurance responsibility on banks, it has from time to time issued guidelines and notifications that mandate information security practices in these banks. It is a moot point, however, whether these small and micro banks have the capability to implement the guidelines, and whether RBI is monitoring the implementation.

In this context we can view the impact of the circular of November 2, 2015, under which all licensed StCBs, DCCBs and UCBs which have implemented CBS, migrated to IPv6 and comply with the regulations mentioned in the circular may offer Internet banking (view only) facility to their customers without prior approval of RBI.

Further, those who satisfy other criteria listed in the circular  on Networth, NPA etc will be permitted transactional facility “With Prior Approval” of RBI.

Some of the key criteria included in the annexure to these circulars are interesting to note and are summarised here. (Detailed circular is available here)

  1. The Bank should formulate an Internet Banking and Information Security policy and obtain the approval of the Board; such policy should ensure confidentiality and security, addressing the legal, regulatory and supervisory issues mentioned in the circular.
  2. Banks should put in sound internal controls and provide adequate disclosure on risk, responsibilities and liabilities to the customers before offering the facility.
  3. There should be clear segregation of duties between IT and IS divisions and there should be a separate designated IS officer and IS auditor as well as a Network and Database administrator.
  4. Banks should ensure that there should be no direct connection between the Internet and the Bank’s system.
  5. All computer access including messages should be logged.
  6. Suspected security violations should be recorded and follow up action taken.
  7. Periodic penetration tests should be conducted.
  8. Should have proper back up and business continuity plan.
  9. Should follow the guidelines provided in the April 29, 2011 circular on Internet Banking (GGWG Guidelines)

The Circular has also highlighted the following legal issues:

  1. Banks may provide Internet Banking facility to a customer only at his/her option based on specific written or authenticated electronic requisition along with a positive acknowledgement.
  2. Considering the prevailing legal position, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about the integrity and reputation of the customer opting for internet banking. Therefore, even though request for opening an account may be accepted over Internet, accounts should be opened only after verification of the identity of the customer and adherence to KYC guidelines.
  3. From a legal perspective, security procedure adopted by banks for authenticating a user needs to be recognized by law as a substitute for signature. The provisions of the Information Technology Act, 2000, and other legal requirements need to be scrupulously adhered to while offering internet banking.
  4. Under the present regime, there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts/information. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / technological failures. The banks should, therefore, have in place adequate risk control measures to manage such risks.

The guidelines also highlight the security features to be adopted. In particular, speaking on the authentication, the circular says

“There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through user id/password combination and second factor like (a) a digital signature (through a token containing digital certificate and associated private key, preferably for corporate customers) or (b) One Time Password (OTP) / dynamic access code through various modes (like SMS over mobile phones or hardware token).”

Though the OTP is provided as an alternative, it is important for banks to remember the “Legal Risk” that RBI has warned them of: an OTP is a shared secret that the bank can generate as well as the customer, whereas the signature in option (a) can be produced only by the holder of the private key. In the GGWG circular, special mention had been made of the S. Umashankar Vs ICICI Bank case, and hence banks should be wary of introducing any system which is not ITA 2008 compliant.
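To make the difference between the two second factors concrete, here is an added example (not code from Naavi.org or from the RBI circular) of option (b): an HMAC-based one-time password as defined in RFC 4226, with the server-side check a bank would run. The secret is the published RFC 4226 test secret, and the counters and transaction sequence are constructed for the example. The point to watch is that the verifier holds the very same secret as the customer’s token and can mint any OTP itself, which is why an OTP proves only that one of the two secret holders produced it and is not the asymmetric signature that the quoted guideline refers to.

```python
# Added example (not from the RBI circular or Naavi.org): an RFC 4226 HOTP
# token and the server-side verifier a bank would run for second factor (b).
# The secret is the RFC 4226 test vector secret; counters and the sequence of
# presses below are constructed for the example.
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"). A real
# deployment provisions a random per-customer secret into each token.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank side: holds the same shared secret and the next expected counter.

    Because the bank can compute every OTP itself, an accepted OTP shows that
    one of the two secret holders produced it; it carries no non-repudiation.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few token presses never sent
        self.counter = 0               # next counter value the bank expects

    def verify(self, code: str) -> bool:
        # Try the expected counter and a small window after it. Compare in
        # constant time, and never accept a counter at or below the last one
        # used, so a captured OTP cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise past the used counter
                return True
        return False


def demo() -> dict:
    """Walk a token and a verifier through the cases a bank must handle."""
    token_counter = 0

    def press_token() -> str:
        nonlocal token_counter
        code = hotp(SECRET, token_counter)
        token_counter += 1
        return code

    verifier = OtpVerifier(SECRET)
    first = press_token()
    results = {
        "first_accepted": verifier.verify(first),
        "replay_rejected": not verifier.verify(first),   # same code again
    }
    press_token()                                        # pressed, never sent
    press_token()                                        # pressed, never sent
    results["resync_within_window"] = verifier.verify(press_token())
    results["wrong_code_rejected"] = not verifier.verify("000000")
    # The bank can compute a valid future OTP without the customer's token:
    results["forged_by_server"] = hotp(SECRET, 9)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the look-ahead window is what lets a customer recover from unused token presses; the larger it is, the more guesses an attacker gets per attempt, so a bank would pair it with a small retry limit and lockout. A signature-based factor as in option (a) would replace `hotp()` with a private-key operation on a hash of the transaction itself, binding the authentication to the amount and payee rather than to a counter.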

All said and done, one cannot deny that RBI is providing information security guidelines from time to time, and the ball is now in the court of the banks to implement them or face the “Legal Risk”.

While larger banks have access to the necessary expertise in the form of well-qualified and informed CISOs, the smaller banks will not find it easy to access either the professionals or the technology for managing their information security at affordable cost.

However, since these banks cannot ignore security, they need to find a solution to the challenge of “information security at affordable cost”; if they ignore this responsibility, they will face undue business risks that may pose a grave threat to their survival. Many times, genuine business problems leading to financial failure in these institutions are unfairly interpreted as “Fraud” or “Scam” and adversely publicized by a news-hungry media, leading to the arrest and humiliation of the Directors even when they are honest.

I therefore request all the Directors of small Banks including Co Operative Banks to immediately bestow their attention on reviewing their “Compliance Status” and build a “Compliance Shield” to protect them from adverse developments.

Naavi is trying to work out a suitable strategic solution to such small Banks to harden their security posture at a reasonable cost.

Naavi

Posted in Cyber Law

The Mystery Land of Cyber Insurance-3: Who should get Cyber Insurance Cover?

Naavi has been an advocate of Cyber Insurance for a long, long time. However, the market seems to be dragging its feet, either because the insurance companies are too scared to touch the unknown risks involved or because the insurance seekers are not pushing them for the service. To understand the status of the Cyber Insurance industry in India, a Cyber Insurance status study titled “India Cyber Insurance Survey 2015” was undertaken. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. I hope this will be useful to the community....Naavi

When the study was being planned, one of the discussions was whether we should call it a “Cyber Insurance” or “Cyber Crime Insurance”. Though ultimately it was decided that the nomenclature would not make any difference, the discussion highlighted the dilemma on what should be the driving force for a “Cyber Insurance Policy” and who should be the beneficiaries of such an insurance.

The survey obtained different responses on this aspect through multiple questions. However one of the direct questions asked was who should be covered in the Cyber Insurance policy.

The response was

–100% agree that corporates are to be covered

–Only 58% consider individuals are to be covered

–74% want Non Commercial organizations also to get cover

Most of the respondents were professionals working in organizations and hence it was natural that 100% of them wanted the insurance to cover the corporates.

However, it was significant to note that only 58% thought that Cyber Insurance should cover Individuals and 74% said that it should cover other organizations such as NGOs.

It was intriguing that 42% of the respondents who are also individuals in their own right and are exposed to personal cyber crime related risks did not consider that they needed insurance protection.

One of the reasons why such a self defeating opinion was expressed was that perhaps many did not believe that there could be a Cyber Insurance policy that can cover individuals.

A minority of them might have felt that if corporates are covered, individuals also may be indirectly protected.

There is no doubt that Cyber Risks affect both individuals and corporates and most of the times, individuals are affected through breaches at the corporate level.

However, in the current state of digitization of commerce and governance in India, it is important to realize that individuals are directly exposed to cyber crime related risks, and organizations are using loopholes in the law and their bullying strength to escape liabilities when the ultimate loss can be shifted to the individuals.

Naavi has been in the forefront of the fight for Netizen’s protection particularly in cases involving Bank frauds where the “Intermediary Responsibilities” under ITA 2008 have been invoked to argue that Banks and other intermediaries should pick up the liabilities arising out of cyber crimes such as Phishing.

The Government of India under the Digital India program has placed increased reliance on Aadhaar and JanDhan yojana which are exposed to high risk of mass security compromise. I have brought it to the attention of the Government including the PMO that in the coming days, the JanDhan Yojana could be the target of cyber attack since it not only can help the attackers to siphon off money, but also discredit Mr Modi before the next elections.

The risk is so dicey that political parties in India which have no qualms about supporting Pakistani terror groups, even by falsifying records and blaming patriotic soldiers of the country as the kingpins of terror, may themselves attack the e-Governance systems and cause havoc. If this risk materializes, the burden of such an attack will fall on individual members of the public. Political parties may use mass attacks on e-Governance projects as a tool for political gain, unmindful of the damage it may cause to citizens like you and me.

It is for this reason that Naavi has strongly felt that Cyber Insurance should be a mandatory protection that Government should organize for users of JanDhan Yojana as well as the Mobile and Internet Banking customers.

When RBI was considering new banking licenses, even the RBI Governor was sounded out with a request that new licensees be mandatorily required to provide cyber insurance cover for their customers. Unfortunately, the sights of the RBI Governor, Mr Raghuram Rajan, were so far removed from safe e-banking that there was no attempt to impose such responsibilities on the new banking licensees.

We can therefore say that both the Government as well as the RBI have for now rejected the need for individuals to be protected by Cyber Insurance and our respondents seemed to reflect the same attitude.

When it comes to coverage of risks in the corporate environment, while the “Own Damage” coverage refers to the loss suffered directly by an insured company, the “Liability loss ” depends on the loss suffered by the customers of the company. If these customers are directly covered by the insurance, then the liability of the company in which the breach occurred would automatically get reduced.

For example, if there is a group insurance scheme under which all the customers of a mobile banking application are insured to the extent of say Rs 5000/-, then when a breach occurs at the application owner (say a Bank) and individuals suffer a loss, the liability that the Bank needs to cover gets reduced to the extent the individuals are already covered.

Hence, if individuals are provided cyber crime insurance cover, it acts as a sub-limit within the coverage of the organization in which the breach occurred.

The reason insurance coverage for individuals is preferred is that such cover provides an opportunity to harden security at the individual level, since individuals will now see a direct benefit in following the security practices mandated by the insurance company before claims can be settled. After all, the insurance companies will have plenty of excuses to deny a claim if the individual has compromised on any of the security principles.

I therefore still advocate that cyber insurance be extended to individuals, enabling them to take direct insurance at low cost and also as a “Group” associated with any organization.

If any Insurance Company is innovative, they can encourage many self help groups to collectively insure themselves against defined Cyber Crime risks even outside the ambit of the Banks.

For example, as an administrator of a WhatsApp group on Information Security, I may seek cyber insurance for all my members using say mobile apps such as Paytm, Ola Money, iMobile etc. subject to a maximum of say Rs 5000/- per member per incident. I will simultaneously build awareness of the security requirements with all the members so that majority of them will follow the security practices.

I suppose this would be a manageable risk for the insurance company and can be priced with a nominal premium. In the process, it would also encourage all the members of the group to follow a certain discipline.

I am aware that individuals would like to be covered for much more than Rs 5000/- but this could be a good beginning to cover mobile related risks. At the same time, higher coverage can be provided outside the group insurance scheme.

Similarly, companies and educational institutions may encourage all their employees or students to obtain a group Cyber Insurance to protect themselves from losses arising out of Cyber Crimes outside the company’s own activities, with the organization undertaking to build security awareness amongst its employees or students. Slowly the aggregation of such groups will provide a large base of insured Netizens and not only generate enough revenue for the insurance company but also make society more secure.

This is an illustration and many other strategies can be developed by self help groups and Banks to improve the security culture in the society using the insurability as an incentive. This will be beneficial both to the society and to the insurance company itself.

At the same time, I consider that it is the duty of the Government and RBI to mandate Cyber Insurance at the Bank level so that the risk of loss is reduced at the gross level. The Government has already instituted many insurance proposals for farmers and rural folk and RBI has reiterated the need for Cyber Insurance in its policy guidelines. What is now required for them to do is just take steps to implement Cyber Insurance also in such a manner that users of Digital India services will be protected from financial losses.

Hope the PMO is listening…..

Naavi

Posted in Cyber Law

The mystery land of Cyber Insurance-2: What is Cyber Insurance?

Naavi, along with some of his friends, embarked upon a Cyber Insurance status study in India titled “India Cyber Insurance Survey 2015”. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi

When the exploration of the Cyber Insurance land was contemplated, it was known that knowledge about the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low. There was no surprise in finding that the penetration of Cyber Insurance in India was low. Some of the reasons for such a status, despite the growing Cyber Crime threats, are analysed here.

Penetration Levels:

Let us analyze one set of the responses which indicated as under:

92% of the respondents, who represented different IT user entities, had no experience of taking Cyber Insurance.

54% of the respondents stated that they are unlikely to consider it in the near future.

90% said that they will consider only if they suffer any loss in a cyber attack.

74% said that they will consider only if they have an attack on themselves.

72% said that they may consider if a suitable product at a right price is available and 80% said that they will consider if there is a mandate. 

The respondents were all senior professionals from IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in near future was very disappointing.

The fact that 90% said that they will consider only if they suffer a loss indicated the dreaded syndrome of “closing the stable doors after the horses have bolted”.

I can categorically state that many organizations may either not survive their first serious attack or may get so badly battered that survival after the attack becomes an unending struggle. None of us knows what destiny holds for us. But to take Cyber Risks so lightly is nothing short of recklessness and a readiness to commit harakiri.

I therefore strongly advocate that entrepreneurs of all kinds shed their complacency and take a look at the need for Cyber Insurance.

I also want to highlight here that the need for Cyber Insurance is more for the entrepreneurs than the Cyber Security professionals since the business risk lies mostly with the entrepreneurs and their investors. If a company faces a fatal attack, the Cyber Security professionals will easily walk out and settle in another company enriched with their experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, loss of his dream project may be the end of the world.

Hence it is the company promoters, directors, investors and business managers who need to watch out for what I am about to say on Cyber Insurance through these columns.

Cyber Insurance is part of Cyber Security Management

Cyber Security professionals also need to take note. Cyber Security management consists of the four strategies of “Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption”, and “Risk Transfer” is achieved through Cyber Insurance. After all, they are senior professionals today and many of them will be owners of businesses in the Start Up revolution that is sweeping our country.

The first reason why a responsible professional is not keen on Cyber Insurance is that there is less understanding than needed of what “Cyber Insurance” actually is. Let us therefore try to address this issue first.

Two Components of Cyber Insurance

Cyber Insurance has two major components. One is insuring self damage, where losses suffered by the insured are covered by the insurer. The second arises when a Cyber incident leaves the insured liable to pay damages to an outsider; Cyber Insurance covers this as “Liability insurance”.

It is easy to understand this concept by looking at its similarity with Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle gets compensation to pay for the repair of the vehicle. At the same time, if he is liable under the Motor Vehicles Act to pay damages to third parties, that is also covered.

Cyber Insurance is also like Motor Insurance and has the two components of “Own Damage” and “Third Party Liability”.

The “Cyber Incident” may happen for many reasons. It can happen due to internal technical issues, including physical events such as an electrical outage, flood or fire. It can happen due to a fault in the hardware or software. It can happen due to human failure such as negligence of employees. It can also happen due to the malicious intentions of humans, including insiders and unknown attackers from the wild. Among such attacks are those categorized as “Zero Day Attacks”: attacks exploiting a vulnerability that, until the attack is revealed, is unknown even to the manufacturer of the software or hardware, who has in good faith sold the product to the IT user now facing a liability situation. No patch exists for such a vulnerability at the time it is exploited, so ordinary patch-management diligence does not protect against it.

Asset Valuation Issues

A quick glance at the various reasons that can cause a loss which may come under the umbrella of a Cyber Insurance indicates why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.

For example, for insuring “Own Damage” one needs to value the Cyber Assets. While it is easy to value the hardware and purchased software, for which there is a cost and a depreciation, the value of internal software development needs to be arrived at on an assessment. Also a huge part of the cyber assets is in the form of “Data” which is acquired at a cost. The resident data should therefore be valued.

Now check back with your CFOs if there is a proper valuation of the cyber assets reflected in the balance sheets and whether your current asset valuation policies for the purpose of P&L is well suited for claiming insurance.

Most companies have a system of writing off all software purchases as “Expenses” though its beneficial use is spread over several years. Hence many soft assets continue to be used much after they find no mention in the balance sheets. As regards the hardware, it is often the practice to retain a nominal value of Rs 1 in the balance sheet even after the value is depreciated for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost so that no asset remains outside the radar. When a cyber event occurs and the company has to regroup, what is relevant is “Replacement Cost” of the asset and not the depreciated value represented in the balance sheet.

Of course it would be convenient for the insurance company if the insured is stating that what he has lost is of “Zero Value” on the books while it costs a bomb to replace. Insurance company may simply value the assets at book value and deny any compensation.

There is therefore the first hurdle of “Asset identification and Valuation” for the purpose of “Cyber Insurance” on which the industry has to reach a convergence.  Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to think if their asset valuation system needs to be reconsidered.

I would urge the Institute to consider valuation of IT assets on “Replacement Cost”.  Depreciation may be considered as first tier, second tier and third tier. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation could be the conservative approach where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.

If accountants follow this system of representing the asset value, then analysts can pick up either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating the compensation while share holders and SEBI may look at the lower asset value as a conservative estimation of profits.

Where software assets are developed within the company, there needs to be a valuation process which today is mostly absent. Only service companies that bill their services to clients have a good system of evaluating their operational costs. Others ignore the internal development cost, which gets debited to the P&L as an expense. There is a need to maintain employee work records and assign them to the valuation of Work in Progress and later to the completed asset. If this can be done, there would be greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant, who can develop a system of valuing the service component so that it can be rightly priced for business purposes while at the same time providing the asset value for insurance purposes.

Last item of asset is the “Data”. While the company can value “Data” on the basis of its acquisition cost, during a cyber incident leading to a liability  and insurance claim, what is relevant is not the asset acquisition cost but the loss which the victim has suffered and has claimed from the Company under the legal rights given to him under law.

Dependency on Compliance

This “Liability” estimation depends on the “Legal Compliance” status of the company such as “Reasonable Security Practice” and “Due Diligence” under ITA 2008 and also the Privacy Rights granted under the constitution or other laws.  Additionally the efficiency of our legal system where victims are aware of their rights and make adequate claim also will influence the losses which the company suffers and expects to be covered by the insurance policy.

Just as Liability insurance has a dependency on ITA 2008 compliance of the insured, the estimation of replacement value of soft assets has a dependency on the DRP and BCP status of the company. If a Company has an excellent DR and lost assets can be recovered in full without much cost, the replacement cost as well as the insurance liability will be reduced.

It is for this reason, that the survey has discussed in greater detail the Compliance status responses to which will be discussed in subsequent articles.

Declared Value of Assets

Practically, when an Insurance contract is written, the insured and the insurer have to identify the value of assets since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form which will include the value of the assets to be insured. The insurer looks at the value and determines the premium.

Now it is possible that, if the insured and the insurer are not on the same level of understanding, the contract may be vitiated by the declarations made by the proposer, and this always works to the advantage of the insurer.

The insurance contract is considered an “uberrimae fidei” contract, a “contract of utmost good faith”, and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspect which he did not declare at the time of insurance.

The easily understood example is when we take a health insurance policy and fail to disclose pre-existing diseases. The insurer may accept the proposal and charge a premium based on the declaration; but if a claim arises, the insurance company goes into investigation mode, finds that there was a pre-existing condition which would have altered the premium and the risk, and since it was not disclosed, the entire contract is declared invalid and the claim denied.

A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other IS related issues. “Hiding Truth” is therefore not  a good strategy at the time of insurance and this is a challenge for professionals since they might have hidden the truth even from their own management in the past.  Hence a strong “Security Incident Management” policy and implementation is essential to write a robust insurance contract.

Another factor which the insured should remember is that if the valuation of assets at the time of insurance is lower than at the time of the claim (when a re-assessment is made as a general practice), it may be treated as “Under Insurance”, and the insurance company may decline to pay the full loss, considering the shortfall as “Self Insurance” borne by the insured.

Hence it is important for the insured and insurer to agree upon a proper valuation system so that there will be no claim of “Under Insurance” or even “Over valuation” though there may be a natural appreciation or depreciation of the value for different reasons.
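To make the under-insurance point concrete, here is a small added worked example (not from the original post, and not any insurer’s actual policy wording) that models the three-tier depreciation suggested above and shows what happens to a claim when an asset is declared at its written-down book value rather than at replacement cost. It assumes, as an illustration only, a pro-rata “condition of average” clause (the insurer pays loss × declared value ÷ value at the time of loss when the asset is under-insured); the asset figures, the accelerated-depreciation factor and the `Asset` class are constructed for this example.

```python
"""Added example: how the valuation basis declared to the insurer changes a
cyber insurance payout.  Illustrative only; not from the original post and
not any insurer's actual policy wording.

Assumptions (not stated on the page):
  * the policy carries a condition of average (pro-rata clause), so a claim is
    scaled by declared_value / value_at_loss when the asset was under-insured;
  * tier-1 depreciation is straight-line over useful life, tier-2 is an
    accelerated (conservative) write-off floored at a nominal Rs 1, and tier-3
    is the equalisation between the tier-2 book value and replacement cost.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    cost: float              # acquisition cost (Rs)
    age_years: float
    useful_life_years: float
    replacement_cost: float  # what it would cost to rebuild/replace today (Rs)

    def tier1_book_value(self) -> float:
        """Straight-line depreciation over the estimated useful life."""
        dep = self.cost * min(self.age_years / self.useful_life_years, 1.0)
        return max(self.cost - dep, 0.0)

    def tier2_book_value(self, accel: float = 2.0) -> float:
        """Conservative: depreciate `accel` times faster, but never below Rs 1,
        mirroring the 'retain a nominal Rs 1' practice described above."""
        dep = self.cost * min(accel * self.age_years / self.useful_life_years, 1.0)
        return max(self.cost - dep, 1.0)

    def tier3_equalisation(self) -> float:
        """Amount that bridges the conservative book value up to replacement cost."""
        return self.replacement_cost - self.tier2_book_value()


def average_clause_payout(loss: float, declared_value: float, value_at_loss: float) -> float:
    """Assumed pro-rata (condition of average) settlement: if the declared sum
    insured is below the asset's value at the time of loss, the insurer pays
    only the insured proportion; the remainder is treated as self insurance."""
    if value_at_loss <= 0:
        raise ValueError("value_at_loss must be positive")
    if declared_value >= value_at_loss:
        return min(loss, declared_value)
    return loss * declared_value / value_at_loss


def settlement(asset: Asset, declared_value: float, loss: float) -> dict:
    """Payout when `asset` was declared at `declared_value` and the actual
    rebuild cost incurred after the incident is `loss`.  The value at the time
    of loss is taken to be the replacement cost."""
    value_at_loss = asset.replacement_cost
    paid = average_clause_payout(loss, declared_value, value_at_loss)
    return {
        "declared": declared_value,
        "value_at_loss": value_at_loss,
        "paid": round(paid, 2),
        "self_insured_shortfall": round(loss - paid, 2),
    }


# Constructed sample asset: an internally developed application whose original
# cost was written off quickly but which would cost far more to rebuild today.
APP = Asset(name="customer-portal", cost=10_00_000, age_years=4,
            useful_life_years=5, replacement_cost=25_00_000)

if __name__ == "__main__":
    print("tier1 book value:", APP.tier1_book_value())
    print("tier2 book value:", APP.tier2_book_value())
    print("tier3 equalisation:", APP.tier3_equalisation())
    print("declared at tier2 book value:",
          settlement(APP, APP.tier2_book_value(), loss=25_00_000))
    print("declared at replacement cost:",
          settlement(APP, APP.replacement_cost, loss=25_00_000))
```

Run as-is, the asset declared at its Rs 1 book value recovers almost nothing of the Rs 25 lakh rebuild cost under the assumed average clause, while the same asset declared at replacement cost is made whole; the tier-3 equalisation figure is exactly the amount the balance sheet would have to carry for the declaration to match.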

Need for Well Structured Policies

These complications are one of the reasons why perhaps 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at suitable price is available.

This also indicates what an insurance company needs to do now that it knows that 92% of the respondents are their potential customers who may consider such products.

If all the complications of asset valuation etc cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with certain sub limits for different types of losses. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.

(…… Discussion to continue)

Naavi

Earlier Article in the series:

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

Posted in Cyber Crime, ITA 2008